| /alcasar.sh |
|---|
| 2,6 → 2,9 |
| # $Id$ |
| # alcasar.sh |
| # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
| # This script is distributed under the Gnu General Public License (GPL) |
| # team@alcasar.net |
| # ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
| # Ce programme est un logiciel libre ; This software is free and open source |
| 10,15 → 13,11 |
| # sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
| # Voir la Licence Publique Générale GNU pour plus de détails. |
| # team@alcasar.net |
| # by Franck BOUIJOUX, Pascal LEVANT and Richard REY |
| # This script is distributed under the Gnu General Public License (GPL) |
| # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau) |
| # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants : |
| # Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
| # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
| # Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
| # Options : |
| 29,13 → 28,13 |
| # testing : connectivity tests, free space test and mageia version test |
| # init : Installation of RPM and scripts |
| # network : Network parameters |
| # ACC : ALCASAR Control Center installation |
| # CA : Certification Authority initialization |
| # ACC : ALCASAR Control Center installation |
| # CA : Certification Authority initialization |
| # time_server : NTPd configuration |
| # init_db : Initilization of radius database managed with MariaDB |
| # freeradius : FreeRadius initialisation |
| # chilli : coovachilli initialisation (+authentication page) |
| # dansguardian : DansGuardian filtering HTTP proxy configuration |
| # dansguardian : DansGuardian filtering HTTP proxy configuration |
| # antivirus : HAVP + libclamav configuration |
| # tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
| # ulogd : log system in userland (match NFLOG target of iptables) |
| 42,14 → 41,15 |
| # nfsen : Configuration of Nfsen Netflow grapher |
| # dnsmasq : Name server configuration |
| # vnstat : little network stat daemon |
| # BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter) |
| # BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter) |
| # cron : Logs export + watchdog + connexion statistics |
| # fail2ban : Fail2ban IDS installation and configuration |
| # gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
| # msec : Mandriva security package configuration |
| # letsencrypt : Let's Encrypt client |
| # post_install : Security, log rotation, etc. |
| # post_install : Security, log rotation, etc. |
| DEBUG_ALCASAR=off; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
| DATE=`date '+%d %B %Y - %Hh%M'` |
| DATE_SHORT=`date '+%d/%m/%Y'` |
| Lang=`echo $LANG|cut -c 1-2` |
| 2345,6 → 2345,11 |
| $DIR_SCRIPTS/alcasar-uninstall.sh -full |
| fi |
| fi |
| if [ $DEBUG_ALCASAR == "on" ] |
| then |
| echo "*** 'debug' : end of cleaning ***" |
| read a |
| fi |
| # Test if manual update |
| if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ] |
| then |
| 2386,7 → 2391,11 |
| for func in init network ACC CA time_server init_db freeradius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install |
| do |
| $func |
| # echo "*** 'debug' : end of function $func ***"; read a |
| if [ $DEBUG_ALCASAR == "on" ] |
| then |
| echo "*** 'debug' : end of install '$func' ***" |
| read a |
| fi |
| done |
| ;; |
| -u | --uninstall) |
| /conf/sudoers |
|---|
| 28,6 → 28,7 |
| Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh # to manage the certificates |
| Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups |
| Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC |
| Cmnd_Alias LDAP=/usr/local/bin/alcasar-ldap.sh # to enable/disable LDAP connection |
| # Defaults specification |
| # Defaults syslog=auth |
| 47,5 → 48,5 |
| # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom |
| # %users localhost=/sbin/shutdown -h now |
| ADMWEB LAN_ORG=(root) NOPASSWD: NET,SYSTEM_BACKUP,SQL,BL,NF,EXPORT,RADDB,LOGOUT,UAM,SERVICE,GAMMU,SSL,HTDIGEST,LOG_GEN |
| ADMWEB LAN_ORG=(root) NOPASSWD: NET,SYSTEM_BACKUP,SQL,BL,NF,EXPORT,RADDB,LOGOUT,UAM,SERVICE,GAMMU,SSL,HTDIGEST,LOG_GEN,LDAP |
| ADMIN LAN_ORG=(root) NOPASSWD: NET,URPMI,BYPASS,SYSTEM_BACKUP,SQL,EXPORT,SERVICE,SSL |
| /scripts/alcasar-ldap.sh |
|---|
| 8,10 → 8,7 |
| # enable / disable authentication of users via an extern LDAP server |
| # TODO |
| # - modif files "site-enabled/alcasar" + "mods-available/ldap" |
| # - add / remove "ln -s mods-available/ldap mods-enabled/ldap" |
| # - /usr/local/bin/alcasar-iptables.sh"); |
| # - /usr/bin/systemctl restart radiusd"); |
| # - modif files "site-enabled/alcasar" |
| # Modif "sites-enabled/alcasar" |
| # Configure autorize section with: |
| 23,26 → 20,16 |
| # ldap |
| # } |
| # Modif "mods-available/ldap" |
| # host = $ldap_server; |
| # identity = $ldap_user; |
| # password = $ldap_password; |
| # basedn = $ldap_base_dn; |
| # filter = $ldap_filter; |
| # uid = $ldap_filter; |
| # base_filter = $ldap_base_filter; |
| usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off}" |
| SED="/bin/sed -i" |
| CONF_FILE="/usr/local/etc/alcasar.conf" |
| LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar" |
| INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
| LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` |
| LDAP_BASE=`grep ^LDAP_BASE= $CONF_FILE|cut -d"=" -f2` |
| LDAP_UID=`grep ^LDAP_UID= $CONF_FILE|cut -d"=" -f2` |
| LDAP_FILTER=`grep ^LDAP_FILTER= $CONF_FILE|cut -d"=" -f2` |
| LDAP_USER=`grep ^LDAP_USER= $CONF_FILE|cut -d"=" -f2` |
| LDAP_PASSWORD=`grep ^LDAP_PASSWORD= $CONF_FILE|cut -d"=" -f2` |
| LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` # IP address of the LDAP server |
| LDAP_BASE=`grep ^LDAP_BASE= $CONF_FILE|cut -d"=" -f2-` # Where to find the users (cn=**,dc=**,dc=**) |
| LDAP_UID=`grep ^LDAP_UID= $CONF_FILE|cut -d"=" -f2` # 'samaccuntname' for A.D. - 'UID' for LDAP |
| LDAP_FILTER=`grep ^LDAP_FILTER= $CONF_FILE|cut -d"=" -f2` # Filter to limit users search (not used for now) |
| LDAP_USER=`grep ^LDAP_USER= $CONF_FILE|cut -d"=" -f2` # User name enable to list the directory |
| LDAP_PASSWORD=`grep ^LDAP_PASSWORD= $CONF_FILE|cut -d"=" -f2` # |
| nb_args=$# |
| args=$1 |
| if [ $nb_args -eq 0 ] |
| 57,17 → 44,22 |
| ;; |
| --on | -on) |
| $SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE |
| $SED "s/^server =.*/server = ldap://$LDAP_SERVER/g" $LDAP_MODULE |
| $SED "s/^identity =.*/identity = $LDAP_UID/g" $LDAP_MODULE |
| $SED "s/^server =.*/server = ldap:\/\/$LDAP_SERVER/g" $LDAP_MODULE |
| $SED "s/^identity =.*/identity = $LDAP_USER/g" $LDAP_MODULE |
| $SED "s/^password =.*/password = $LDAP_PASSWORD/g" $LDAP_MODULE |
| $SED "s/^base_dn =.*/base_dn = $LDAP_BASE/g" $LDAP_MODULE |
| $SED "s/^filter =.*/filter = ($LDAP_UID=%{%{Stripped-User-Name}:-%{User-Name}})/g" $LDAP_MODULE |
| ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap |
| if [ ! -e /etc/raddb/mods-enabled/ldap ] |
| then |
| ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap |
| fi |
| /usr/local/bin/alcasar-iptables.sh |
| /usr/bin/systemctl restart radiusd.service |
| ;; |
| --off | -off) |
| $SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE |
| rm -f /etc/raddb/mods-enabled/ldap |
| /usr/local/bin/alcasar-iptables.sh |
| /usr/bin/systemctl restart radiusd.service |
| ;; |
| *) |
| /scripts/alcasar-uninstall.sh |
|---|
| 70,7 → 70,7 |
| [ -e /etc/raddb/clients.conf.default ] && mv /etc/raddb/clients.conf.default /etc/raddb/clients.conf && echo -n "5, " |
| [ -e /etc/raddb/mods-enabled/ldap ] && rm /etc/raddb/mods-enabled/ldap && echo -n "6, " #Add here other mods |
| [ -e /etc/raddb/mods-enabled/sql ] && rm /etc/raddb/mods-enabled/sql && echo -n "6bis, " #Add here other mods |
| [ -e /etc/raddb/mods-available/ldap-alcasar ] && rm /etc/raddb/mods-available/alcasar-ldap && echo -n "7, " |
| [ -e /etc/raddb/mods-available/ldap-alcasar ] && rm /etc/raddb/mods-available/ldap-alcasar && echo -n "7, " |
| [ -e /etc/raddb/mods-available/sql.default ] && mv /etc/raddb/mods-available/sql.default /etc/raddb/mods-available/sql && echo -n "8, " |
| [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] && mv /etc/raddb/mods-config/sql/main/mysql/queries.conf.default /etc/raddb/mods-config/sql/main/mysql/queries.conf && echo -n "9, " |
| [ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf && echo -n "10, " |
| 315,9 → 315,12 |
| echo -en "\n- $func " |
| $func |
| sleep 1 |
| # echo -en " *** 'debug' : end of function $func - Hit enter ***"; read a |
| if [ $DEBUG_ALCASAR == "on" ] |
| then |
| echo -n " *** 'debug' : end of cleaning '$func' *** " |
| read a |
| fi |
| done |
| if [ $mode == "full" ] |
| then |
| echo -en "\n- network(9) : " |